9.3

CVSS4.0

CVE-2026-7154 - Totolink A8000RU CGI cstecgi.cgi setAdvancedInfoShow os command injection

A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setAdvancedInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument tty_server can lead to os command injection. The attack can be launched remot…

📅 Published: April 27, 2026, 8 p.m. 🔄 Last Modified: April 28, 2026, 2:36 p.m.

9.3

CVSS4.0

CVE-2026-7153 - Totolink A8000RU CGI cstecgi.cgi setMiniuiHomeInfoShow os command injection

A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setMiniuiHomeInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument sys_info results in os command injection. The attack can b…

📅 Published: April 27, 2026, 7:45 p.m. 🔄 Last Modified: April 28, 2026, 12:49 p.m.

8.8

CVSS3.1

CVE-2026-6741 - LatePoint <= 5.4.1 - Authenticated (Agent+) Privilege Escalation to Administrator via 'connect-cust…

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires …

📅 Published: April 27, 2026, 7:36 p.m. 🔄 Last Modified: April 28, 2026, 2:49 p.m.

9.3

CVSS4.0

CVE-2026-7152 - Totolink A8000RU CGI cstecgi.cgi setTelnetCfg os command injection

A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument telnet_enabled leads to os command injection. It is possible to launch the attac…

📅 Published: April 27, 2026, 7:30 p.m. 🔄 Last Modified: April 28, 2026, 3:37 p.m.

8.7

CVSS4.0

CVE-2026-7151 - Tenda HG3 formIPv6Routing formUploadConfig stack-based overflow

A vulnerability was determined in Tenda HG3 2.0. Impacted is the function formUploadConfig of the file /boaform/formIPv6Routing. This manipulation of the argument destNet causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and …

📅 Published: April 27, 2026, 7:15 p.m. 🔄 Last Modified: April 30, 2026, 6:22 p.m.

7

CVSS4.0

CVE-2026-5394 - Pimcore Platform v12.3.3 - SQL Injection in DataObject composite index handling

An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend. This issue affects pimcore: 12.3.3.

📅 Published: April 27, 2026, 7:15 p.m. 🔄 Last Modified: April 28, 2026, 2:36 p.m.

5

CVSS3.1

CVE-2026-40970 - Spring Boot: Spring Boot: Missing hostname verification in Elasticsearch auto-configuration allows …

When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.

📅 Published: April 27, 2026, 7:09 p.m. 🔄 Last Modified: April 28, 2026, 7:45 p.m.

5.3

CVSS4.0

CVE-2026-7150 - dh1011 auto-favicon MCP Tool server.py generate_favicon_from_url server-side request forgery

A vulnerability was found in dh1011 auto-favicon up to f189116a9259950c2393f114dbcb94dde0ad864b. This issue affects the function generate_favicon_from_url of the file src/auto_favicon/server.py of the component MCP Tool. The manipulation of the argument image_url results in server-side request forg…

📅 Published: April 27, 2026, 7 p.m. 🔄 Last Modified: April 28, 2026, 2:19 p.m.

6.9

CVSS4.0

CVE-2026-7149 - dexhunter kaggle-mcp server.py prepare_kaggle_dataset path traversal

A vulnerability has been found in dexhunter kaggle-mcp up to 406127ffcb2b91b8c10e20e6c2ca787fbc1dc92d. This vulnerability affects the function prepare_kaggle_dataset of the file src/kaggle_mcp/server.py. The manipulation of the argument competition_id leads to path traversal. The attack is possible…

📅 Published: April 27, 2026, 6:45 p.m. 🔄 Last Modified: April 28, 2026, 9:16 a.m.

5.3

CVSS4.0

CVE-2026-7148 - CodeAstro Online Classroom addnewfaculty sql injection

A flaw has been found in CodeAstro Online Classroom 1.0. This affects an unknown part of the file /addnewfaculty. Executing a manipulation of the argument fname can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used.

📅 Published: April 27, 2026, 6:30 p.m. 🔄 Last Modified: April 28, 2026, 3:45 a.m.